VMware vCenter Server contains a remotely accessible JMX RMI service that is
not securely configured. An unauthenticated remote attacker who is able
to connect to the service may be able to use it to execute arbitrary
code on the vCenter Server. A local attacker may be able to elevate
their privileges on vCenter Server.

VMware would like to thank Doug McLeod of 7 Elements Ltd and an anonymous
researcher working through HP's Zero Day Initiative for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue.

CRITICAL UPDATE

VMSA-2015-0007.2 and earlier versions of this advisory documented that
CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3.
Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server
5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and
did not address the issue.

In order to address the issue on these versions of vCenter Server Windows, an
additional patch must be installed. This additional patch is available
from VMware Knowledge Base (KB) article 2144428.

If the Windows Firewall is enabled on the system that has vCenter Server
Windows installed, the JMX RMI service is not reachable from the network and
remote exploitation of CVE-2015-2342 is not possible. Even if the Windows
Firewall is enabled, users are advised to install the additional patch, since
the firewall does not remove the local privilege elevation.
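The mitigation above is a reachability condition: an attacker who cannot complete a TCP connection to the JMX RMI port cannot exploit the issue remotely. The following check, an added example that is not VMware's code and not part of this advisory, performs only the first step of the Java RMI (JRMP) stream-protocol handshake, which needs no JMX credentials: it sends the 7-byte client header and parses the server's ProtocolAck. A ProtocolAck shows that the port is open and answered by an RMI endpoint; None shows the port is refused or filtered, which is the state the firewall guidance aims for. The vCenter JMX RMI port number is not stated in this advisory, so the port is a parameter. The mock RMI listener is constructed here only so the block runs offline; a ProtocolAck alone does not confirm that the endpoint is vulnerable.

```python
"""Reachability check for a Java RMI (JRMP) endpoint such as a JMX RMI service.

Added example, not VMware's code. The vCenter JMX RMI port is not stated in
the advisory, so it is a parameter. A refused or filtered port yields None.
"""
import socket
import struct
import threading

# JRMP stream-protocol handshake constants (Java RMI wire protocol).
RMI_MAGIC = b"JRMI"        # 0x4a 0x52 0x4d 0x49
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B     # client: "use StreamProtocol"
PROTOCOL_ACK = 0x4E        # server: handshake accepted
PROTOCOL_NACK = 0x4F       # server: handshake rejected


def build_rmi_hello() -> bytes:
    """Client header: magic, 2-byte version, 1-byte protocol selector (7 bytes)."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Parse a ProtocolAck: 0x4e, writeUTF(host) [2-byte len + bytes], writeInt(port).

    Returns {"host", "port"} or None if the bytes are not a complete ProtocolAck.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">I", data[3 + hlen:7 + hlen])
    return {"host": host, "port": port}


def probe_rmi(host: str, port: int, timeout: float = 3.0):
    """Return the ProtocolAck fields if a JRMP endpoint answers on host:port.

    None means the port is unreachable (refused, filtered/timed out) or the
    listener is not an RMI endpoint. No JMX credentials are involved here:
    the handshake alone shows whether the service is network-reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_rmi_hello())
            data = s.recv(1024)
    except OSError:
        return None
    return parse_protocol_ack(data)


def start_mock_rmi_server(ack_host: bytes = b"127.0.0.1"):
    """Constructed stand-in for an RMI registry, for offline demonstration only.

    Answers a correct hello with a ProtocolAck carrying ack_host and its own
    port, anything else with a ProtocolNack. Returns (port, stop_callable).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            hello = conn.recv(len(build_rmi_hello()))
            if hello == build_rmi_hello():
                ack = (bytes([PROTOCOL_ACK])
                       + struct.pack(">H", len(ack_host)) + ack_host
                       + struct.pack(">I", port))
                conn.sendall(ack)
            else:
                conn.sendall(bytes([PROTOCOL_NACK]))

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


if __name__ == "__main__":
    port, stop = start_mock_rmi_server()
    print("mock RMI endpoint:", probe_rmi("127.0.0.1", port))
    stop()
    # A closed or firewalled port gives None.
    print("closed port:", probe_rmi("127.0.0.1", port))
```

Run `probe_rmi("<vcenter-host>", <jmx-rmi-port>)` from the network segment of concern; a None result from every untrusted segment, together with the KB 2144428 patch for the local case, is the state the advisory describes. Run it again after firewall changes, since a ProtocolAck from outside the management network means the Windows Firewall exemption in the advisory does not apply.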

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

6. Change log

2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the
release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to
alert customers to a non-security issue in ESXi 5.5 U3 that is addressed
in ESXi 5.5 U3a.

2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342
is fixed in an earlier vCenter Server version (6.0.0b) than originally
reported (6.0 U1) and that the port required to exploit the
vulnerability is blocked in the appliance versions of the software (5.1
and above).